[英]Simple but secure user registration with PHP and mysqli
這是一個有點難以理解,提取和運用先進的用戶喜歡的職位提供的所有建議本或本和其他人,對於非高級用戶和我一樣。
我需要一個簡單但安全的MySQLi和PHP用戶注冊(用戶名+密碼); 我試圖遵循這些帖子中包含的建議,但是我不確定我的代碼是否可以防止注入以及是否過時:
Registration.php:
$host = "localhost";
$dbuser = "xxxx";
$dbpassword = "xxxx";
$dbname = "xxxx";
$conn = mysql_connect($host, $dbuser, $dbpassword);
if($conn == 0){
echo "Connection Failed";
}
$db_select = mysqli_select_db($dbname, $conn);
$username = mysqli_real_escape_string($_POST['username']);
$password = $POST['password'];
if($user == '' or $password == ''){
echo "Compile all!";
}else{
$query = "Insert Into 'user' ('username' , 'password') VALUES ('$username' , '$password')";
$query2 = mysqli_query($query);
echo "Registration complete";
}
它當然需要大量改進,我希望了解您的所有建議,因為我是新手。
這是我用於注冊的注冊碼。 它的工作很棒。
<?php include('header.php'); ?>
<?php
include('config.php'); // Database connection and settings
error_reporting(E_ALL);
ini_set('display_errors', 1);
if(isset($_POST['register'])){
$name = trim(mysqli_escape_string($conn,$_POST['username']));
$first_name = trim(mysqli_escape_string($conn,$_POST['first_name']));
$last_name = trim(mysqli_escape_string($conn,$_POST['last_name']));
$display_name = trim(mysqli_escape_string($conn,$_POST['display_name']));
$email = trim(mysqli_escape_string($conn,$_POST['email']));
$passwords = trim(mysqli_escape_string($conn,$_POST['password']));
$password = password_hash($passwords, PASSWORD_DEFAULT); // for Better Hashing Password
or $password = md5($passwords);
$query_verify_email = "SELECT * FROM users WHERE email ='$email'";
$verified_email = mysqli_query($conn,$query_verify_email) or die("Error: ".mysqli_error($conn));
if (!$verified_email) {
echo ' System Error';
}
if (mysqli_num_rows($verified_email) == 0) {
// Generate a unique code:
$hash = md5(uniqid(rand(), true));
$query_create_user = "INSERT INTO users ( username, email, password, hash,first_name,last_name,display_name,pic,gender,isactive)
VALUES ( '$name', '$email', '$password', '$hash','$first_name','$last_name','$display_name','','',0)";
$created_user = mysqli_query($conn,$query_create_user) or die("Error: ".mysqli_error($conn));
if (!$created_user) {
echo 'Query Failed ';
}
if (mysqli_affected_rows($conn) == 1) { //If the Insert Query was successfull.
$subject = 'Activate Your Email';
$headers = "From: admin@infotuts.com \r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
$url= 'verify.php?email=' . urlencode($email) . "&key=$hash";
$message ='<p>To activate your account please click on Activate buttton</p>';
$message.='<table cellspacing="0" cellpadding="0"> <tr>';
$message .= '<td align="center" width="300" height="40" bgcolor="#000091" style="-webkit-border-radius: 5px; -moz-border-radius: 5px; border-radius: 5px;
color: #ffffff; display: block;">';
$message .= '<a href="'.$url.'" style="color: #ffffff; font-size:16px; font-weight: bold; font-family: Helvetica, Arial, sans-serif; text-decoration: none;
line-height:40px; width:100%; display:inline-block">Click to Activate</a>';
$message .= '</td> </tr> </table>';
mail($email, $subject, $message, $headers);
echo '<div class="alert alert-success">A confirmation email
has been sent to <b>'. $email.' </b> Please click on the Activate Button to Activate your account </div>';
} else { // If it did not run OK.
echo '<div class="alert alert-info">You could not be registered due to a system
error. We apologize for any
inconvenience.</div>';
die(mysqli_error($conn));
}
}
else{
echo '<div class="alert alert-danger">Email already registered</div>';}
}
?>
<div class="row">
<div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
<form role="form" action='' method="post" enctype="multipart/form-data">
<h2>Please Sign Up <small>It's free and always will be.</small></h2>
<hr class="colorgraph">
<div class="row">
<div class="col-xs-12 col-sm-6 col-md-6">
<div class="form-group">
<input type="text" name="first_name" id="first_name" class="form-control input-lg" placeholder="First Name" tabindex="1">
</div>
</div>
<div class="col-xs-12 col-sm-6 col-md-6">
<div class="form-group">
<input type="text" name="last_name" id="last_name" class="form-control input-lg" placeholder="Last Name" tabindex="2">
</div>
</div>
</div>
<div class="form-group">
<input type="text" name="username" id="username" class="form-control input-lg" placeholder="User Name" tabindex="3">
</div>
<div class="form-group">
<input type="text" name="display_name" id="display_name" class="form-control input-lg" placeholder="Display Name" tabindex="3">
</div>
<div class="form-group">
<input type="email" name="email" id="email" class="form-control input-lg" placeholder="Email Address" tabindex="4">
</div>
<div class="row">
<div class="col-xs-12 col-sm-6 col-md-6">
<div class="form-group">
<input type="password" name="password" id="password" class="form-control input-lg" placeholder="Password" tabindex="5">
</div>
</div>
<div class="col-xs-12 col-sm-6 col-md-6">
<div class="form-group">
<input type="password" name="password_confirmation" id="password_confirmation" class="form-control input-lg" placeholder="Confirm Password" tabindex="6">
</div>
</div>
</div>
<div class="row">
<div class="col-xs-4 col-sm-3 col-md-3">
<span class="button-checkbox">
<button type="button" class="btn" data-color="info" tabindex="7">I Agree</button>
<input type="checkbox" name="t_and_c" id="t_and_c" class="hidden" value="1">
</span>
</div>
<div class="col-xs-8 col-sm-9 col-md-9">
By clicking <strong class="label label-primary">Register</strong>, you agree to the <a href="#" data-toggle="modal" data-target="#t_and_c_m">Terms and Conditions</a> set out by this site, including our Cookie Use.
</div>
</div>
<hr class="colorgraph">
<div class="row">
<div class="col-xs-12 col-md-6"><input type="submit" name='register' value="Register" class="btn btn-primary btn-block btn-lg" tabindex="7"></div>
<div class="col-xs-12 col-md-6"><a href="login.php" class="btn btn-success btn-block btn-lg">Sign In</a></div>
</div>
</form>
</div>
</div>
</div>
您的代碼有很多問題。 主要問題是您正在使用過時的數據庫連接方法(mysql_ *函數)。 您還試圖與其交換mysqli_ *函數。 我的建議是您廢棄該代碼並學習PDO。 我確信它正在成為更新的PHP版本的標准(或者有人告訴我)。
除此之外,您還要檢查數據庫連接是否有效,即使不是,該代碼也會繼續運行查詢。如果數據庫連接失敗,您對UX不太擔心,則可以打電話給die($ string); 這將殺死腳本並回顯一個字符串。 另一件事,“或”不是有效的運算符。 是|| 為或。 您還引用了一個超級全局變量錯誤。 它是“ $ _POST”,而不是“ $ POST”。 您也不會哈希密碼。 您應該查看如何對密碼進行哈希處理,但要注意諸如md5等損壞的算法。我通常傾向於使用帶有隨機字節鹽的crypt。 關於最好的爭論有很多。 但是總的來說,如果您編寫一個好的系統,那么您就不必太擔心數據“散列”(錯誤的術語)。
希望對您有所幫助。 我的建議是在沉迷於諸如登錄系統之類的項目之前更多地學習PHP,這可能會使用戶的數據面臨風險。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.